c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
12-03-2024 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tyrant.png
Size

36B
MD5

a1ca4bebcd03fafbe2b06a46a694e29a
SHA1

ffc88125007c23ff6711147a12f9bba9c3d197ed
SHA256

c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65
SHA512

6fe1730bf2a6bba058c5e1ef309a69079a6acca45c0dbca4e7d79c877257ac08e460af741459d1e335197cf4de209f2a2997816f2a2a3868b2c8d086ef789b0e

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache	Music.UI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	Music.UI.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	Music.UI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	Music.UI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheVersion = "1"	Music.UI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	Music.UI.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\History	Music.UI.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings	Music.UI.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\Content	Music.UI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheVersion = "1"	Music.UI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	Music.UI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	Music.UI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheVersion = "1"	Music.UI.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings\MuiCache	Music.UI.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	Music.UI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	Music.UI.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2716	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1604	Music.UI.exe
Token: SeDebugPrivilege	1604	Music.UI.exe
Token: SeDebugPrivilege	1604	Music.UI.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2716	EXCEL.EXE
2716	EXCEL.EXE
2716	EXCEL.EXE
2716	EXCEL.EXE
2716	EXCEL.EXE
2716	EXCEL.EXE
2716	EXCEL.EXE
2716	EXCEL.EXE
2716	EXCEL.EXE
1604	Music.UI.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tyrant.png
1⤵
PID:2024

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\LimitInvoke.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2716

C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Music.UI.exe
"C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Music.UI.exe" -ServerName:Microsoft.ZuneMusic.AppX48dcrcgzqqdshm3kf61t0cm5e9pyd6h6.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
- Suspicious use of FindShellTrayWindow
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\DiagOutputDir\CriticalError_playbackTrace_1710224042.txt

Filesize
36KB

MD5
1576da5b4152c2767b3728dacaeb6524

SHA1
d8b84073b4509f43a74bad89f09d8d5c0a03003c

SHA256
70ce975ef84a833762dc55ca0f433127e51307fbc7bfe2ff526d471244705bd8

SHA512
bceeeeb0f0e2be16144889aae6ab5544732db84f39d4d507bd218af4b1c1e3a60f4b18fa9ea57197442e113b7226ad7d7614f70413cc8c30422a805b81fb856b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\backstack.json

Filesize
45B

MD5
674a522d4da661e10bf2faeb26211654

SHA1
53b554607f83d8c4af7a15a855c93933c1334efa

SHA256
493800fe0860fe9847458551d720bdbddfac2b45530cf39339e0ec34bf4dc169

SHA512
8e229a57a169948f0e0726a31e0602d99eed38894c9c707d7966ef91997b946b4fb010099a086b9c4d8c348355c6bf947f7172fcd100af7272c0c28a180daa91

Download Submit
memory/1604-75-0x000002083E510000-0x000002083E512000-memory.dmp

Filesize
8KB

Download
memory/1604-79-0x000002083F6F0000-0x000002083F6F2000-memory.dmp

Filesize
8KB

Download
memory/1604-80-0x000002083F6E0000-0x000002083F6E1000-memory.dmp

Filesize
4KB

Download
memory/1604-78-0x000002083EA30000-0x000002083EA32000-memory.dmp

Filesize
8KB

Download
memory/1604-77-0x000002083E960000-0x000002083E962000-memory.dmp

Filesize
8KB

Download
memory/1604-76-0x000002083E8D0000-0x000002083E8D2000-memory.dmp

Filesize
8KB

Download
memory/1604-47-0x0000020837200000-0x0000020837210000-memory.dmp

Filesize
64KB

Download
memory/1604-74-0x000002083E580000-0x000002083E582000-memory.dmp

Filesize
8KB

Download
memory/1604-73-0x0000020838F50000-0x0000020838F52000-memory.dmp

Filesize
8KB

Download
memory/1604-72-0x0000020838F40000-0x0000020838F42000-memory.dmp

Filesize
8KB

Download
memory/1604-71-0x0000020838F30000-0x0000020838F32000-memory.dmp

Filesize
8KB

Download
memory/1604-70-0x0000020838BE0000-0x0000020838BE2000-memory.dmp

Filesize
8KB

Download
memory/1604-68-0x0000020838BE0000-0x0000020838BE2000-memory.dmp

Filesize
8KB

Download
memory/1604-66-0x0000020837FF0000-0x0000020837FF1000-memory.dmp

Filesize
4KB

Download
memory/1604-55-0x0000020838AB0000-0x0000020838AC0000-memory.dmp

Filesize
64KB

Download
memory/2716-10-0x00007FFB46040000-0x00007FFB46249000-memory.dmp

Filesize
2.0MB

Download
memory/2716-15-0x00007FFB46040000-0x00007FFB46249000-memory.dmp

Filesize
2.0MB

Download
memory/2716-19-0x00007FFB46040000-0x00007FFB46249000-memory.dmp

Filesize
2.0MB

Download
memory/2716-20-0x00007FFB46040000-0x00007FFB46249000-memory.dmp

Filesize
2.0MB

Download
memory/2716-21-0x00007FFB46040000-0x00007FFB46249000-memory.dmp

Filesize
2.0MB

Download
memory/2716-22-0x00007FFB453E0000-0x00007FFB4549D000-memory.dmp

Filesize
756KB

Download
memory/2716-23-0x00007FFB46040000-0x00007FFB46249000-memory.dmp

Filesize
2.0MB

Download
memory/2716-41-0x00007FFB060D0000-0x00007FFB060E0000-memory.dmp

Filesize
64KB

Download
memory/2716-42-0x00007FFB060D0000-0x00007FFB060E0000-memory.dmp

Filesize
64KB

Download
memory/2716-43-0x00007FFB060D0000-0x00007FFB060E0000-memory.dmp

Filesize
64KB

Download
memory/2716-44-0x00007FFB060D0000-0x00007FFB060E0000-memory.dmp

Filesize
64KB

Download
memory/2716-45-0x00007FFB46040000-0x00007FFB46249000-memory.dmp

Filesize
2.0MB

Download
memory/2716-46-0x00007FFB453E0000-0x00007FFB4549D000-memory.dmp

Filesize
756KB

Download
memory/2716-17-0x00007FFB46040000-0x00007FFB46249000-memory.dmp

Filesize
2.0MB

Download
memory/2716-16-0x00007FFB46040000-0x00007FFB46249000-memory.dmp

Filesize
2.0MB

Download
memory/2716-18-0x00007FFB46040000-0x00007FFB46249000-memory.dmp

Filesize
2.0MB

Download
memory/2716-14-0x00007FFB038B0000-0x00007FFB038C0000-memory.dmp

Filesize
64KB

Download
memory/2716-13-0x00007FFB46040000-0x00007FFB46249000-memory.dmp

Filesize
2.0MB

Download
memory/2716-12-0x00007FFB46040000-0x00007FFB46249000-memory.dmp

Filesize
2.0MB

Download
memory/2716-0-0x00007FFB060D0000-0x00007FFB060E0000-memory.dmp

Filesize
64KB

Download
memory/2716-11-0x00007FFB038B0000-0x00007FFB038C0000-memory.dmp

Filesize
64KB

Download
memory/2716-9-0x00007FFB46040000-0x00007FFB46249000-memory.dmp

Filesize
2.0MB

Download
memory/2716-8-0x00007FFB46040000-0x00007FFB46249000-memory.dmp

Filesize
2.0MB

Download
memory/2716-2-0x00007FFB060D0000-0x00007FFB060E0000-memory.dmp

Filesize
64KB

Download
memory/2716-3-0x00007FFB46040000-0x00007FFB46249000-memory.dmp

Filesize
2.0MB

Download
memory/2716-6-0x00007FFB060D0000-0x00007FFB060E0000-memory.dmp

Filesize
64KB

Download
memory/2716-7-0x00007FFB46040000-0x00007FFB46249000-memory.dmp

Filesize
2.0MB

Download
memory/2716-4-0x00007FFB060D0000-0x00007FFB060E0000-memory.dmp

Filesize
64KB

Download
memory/2716-5-0x00007FFB46040000-0x00007FFB46249000-memory.dmp

Filesize
2.0MB

Download
memory/2716-1-0x00007FFB060D0000-0x00007FFB060E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads